dashboard admin(groups/users) implementation and integrating with dynamic application config #303
Conversation
… test This reverts commit 47e10e4.
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## workspace-pr-integr #303 +/- ##
========================================================
+ Coverage 35.17% 55.93% +20.76%
========================================================
Files 1885 2254 +369
Lines 36421 42172 +5751
Branches 6672 7487 +815
========================================================
+ Hits 12810 23590 +10780
+ Misses 22761 17225 -5536
- Partials 850 1357 +507
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
...kspace/server/saved_objects/integration_tests/workspace_saved_objects_client_wrapper.test.ts
Outdated
Show resolved
Hide resolved
...kspace/server/saved_objects/integration_tests/workspace_saved_objects_client_wrapper.test.ts
Outdated
Show resolved
Hide resolved
src/plugins/workspace/server/saved_objects/workspace_saved_objects_client_wrapper.test.ts
Outdated
Show resolved
Hide resolved
src/plugins/workspace/server/saved_objects/workspace_saved_objects_client_wrapper.ts
Outdated
Show resolved
Hide resolved
src/plugins/workspace/server/saved_objects/workspace_saved_objects_client_wrapper.ts
Outdated
Show resolved
Hide resolved
src/plugins/workspace/server/saved_objects/workspace_saved_objects_client_wrapper.ts
Outdated
Show resolved
Hide resolved
| const adminGroups = config?.dashboardAdmin?.groups || []; | ||
| const adminUsers = config?.dashboardAdmin?.users || []; | ||
| const groupMatchAny = groups?.some((group) => adminGroups.includes(group)) || false; | ||
| const userMatchAny = users?.some((user) => adminUsers.includes(user)) || false; |
There was a problem hiding this comment.
Shall we remove ? after users and groups?
src/plugins/workspace/server/saved_objects/workspace_saved_objects_client_wrapper.test.ts
Outdated
Show resolved
Hide resolved
config/opensearch_dashboards.yml
Outdated
| # Set the backend roles in groups or users, whoever has the backend roles or exactly match the user ids defined in this config will be regard as dashboard admin. | ||
| # Dashboard admin will have the access to all the workspaces and objects inside OpenSearch Dashboards. | ||
| # workspace.dashboardAdmin.groups: ["dashboard_admin"] | ||
| # workspace.dashboardAdmin.users: ["dashboard_admin"] |
There was a problem hiding this comment.
The naming workspace.dashboardAdmin may confuse me, it sounds like the admin for dashboard type only. I come few names like workspace.dashboardsAdmin,
workspace.admin or workpsace.superAdmin
There was a problem hiding this comment.
workspace.admin may be confusing as admin of workspace stands for the the users who have write permission on specific workspaces, vote for superAdmin.
There was a problem hiding this comment.
If there is no configuration named workspace.admin, would workspace.superAdmin also be confused?
| @@ -140,6 +144,24 @@ export class WorkspaceSavedObjectsClientWrapper { | |||
| return false; | |||
| }; | |||
|
|
|||
| private isDashboardAdmin(request: OpenSearchDashboardsRequest): boolean { | |||
There was a problem hiding this comment.
Prefer renaming to isRequestByDashboardAdmin.
…shboards into pr-integr-dashboard-admin
Signed-off-by: yubonluo <yubonluo@amazon.com>
yubonluo
changed the title
Signed-off-by: yubonluo <yubonluo@amazon.com>
src/plugins/workspace/server/saved_objects/workspace_saved_objects_client_wrapper.ts
Outdated
Show resolved
Hide resolved
src/plugins/workspace/server/saved_objects/workspace_saved_objects_client_wrapper.ts
Outdated
Show resolved
Hide resolved
src/plugins/workspace/server/saved_objects/workspace_saved_objects_client_wrapper.ts
Outdated
Show resolved
Hide resolved
Signed-off-by: yubonluo <yubonluo@amazon.com>
| @@ -83,8 +88,35 @@ export class WorkspacePlugin implements Plugin<{}, {}> { | |||
| if (isPermissionControlEnabled) { | |||
There was a problem hiding this comment.
Shall we move the permission control logic to a separate method like setupPermission? It seems over 30 lines.
There was a problem hiding this comment.
Sure, I have moved the related logic to a separate setupPermission method.
src/plugins/workspace/server/saved_objects/workspace_saved_objects_client_wrapper.ts
Outdated
Show resolved
Hide resolved
| @@ -66,8 +70,32 @@ const getDefaultValuesForEmpty = <T>(values: T[] | undefined, defaultValues: T[] | |||
| return !values || values.length === 0 ? defaultValues : values; | |||
| }; | |||
|
|
|||
| export const isRequestByDashboardAdmin = ( | |||
There was a problem hiding this comment.
Prefer move to some utils file
There was a problem hiding this comment.
Have moved to src/plugins/workspace/server/utils.ts and add unit test.
| @@ -51,6 +51,8 @@ const repositoryKit = (() => { | |||
|
|
|||
| const permittedRequest = httpServerMock.createOpenSearchDashboardsRequest(); | |||
| const notPermittedRequest = httpServerMock.createOpenSearchDashboardsRequest(); | |||
| const groupIsDashboardAdminRequest = httpServerMock.createOpenSearchDashboardsRequest(); | |||
| const UserIdIsDashboardAdminRequest = httpServerMock.createOpenSearchDashboardsRequest(); | |||
There was a problem hiding this comment.
Prefer renaming to userIdIsDashboardAdminRequest
There was a problem hiding this comment.
There is no relevant logic of users/groups in the wrapper, so I uniformly use the dashboardAdminRequest name in the test file.
| @@ -59,6 +61,8 @@ describe('WorkspaceSavedObjectsClientWrapper', () => { | |||
| let osd: TestOpenSearchDashboardsUtils; | |||
| let permittedSavedObjectedClient: SavedObjectsClientContract; | |||
| let notPermittedSavedObjectedClient: SavedObjectsClientContract; | |||
| let groupIsDashboardAdminSavedObjectedClient: SavedObjectsClientContract; | |||
| let UserIdIsdashboardAdminSavedObjectedClient: SavedObjectsClientContract; | |||
There was a problem hiding this comment.
Prefer userIdIsdashboardAdminSavedObjectedClient
There was a problem hiding this comment.
There is no relevant logic of users/groups in the wrapper, so I uniformly use the dashboardAdminSavedObjectedClient name in the test file.
| request, | ||
| adminGroups ? [adminGroups] : [], | ||
| adminUsers ? [adminUsers] : [], | ||
| this.permissionControl! |
There was a problem hiding this comment.
Should we use assert here, permissionControl is inited above and its type is fixed.
There was a problem hiding this comment.
You are right, the relevant logic has been deleted.
Signed-off-by: yubonluo <yubonluo@amazon.com>
Signed-off-by: yubonluo <yubonluo@amazon.com>
Signed-off-by: yubonluo <yubonluo@amazon.com>
| groups: string[], | ||
| users: string[], |
There was a problem hiding this comment.
Nit: I'd recommend combine these two params into a param named principals: Principals.
There was a problem hiding this comment.
I think using deconstructed code is more conducive to subsequent use.
| @@ -55,12 +60,98 @@ export class WorkspacePlugin implements Plugin<{}, {}> { | |||
| }); | |||
| } | |||
|
|
|||
| private isRequestByDashboardAdmin( | |||
There was a problem hiding this comment.
Can be a util function inside another file.
There was a problem hiding this comment.
Have moved to src/plugins/workspace/server/utils.ts and add unit test.
|
|
||
| private async setupPermission( | ||
| core: CoreSetup, | ||
| config: WorkspacePluginConfigType, |
There was a problem hiding this comment.
Can we leverage the existing property config$?
| } catch (e) { | ||
| return toolkit.next(); | ||
| } | ||
| if (groups.length === 0 && users.length === 0) { |
There was a problem hiding this comment.
If the cluster does not require authentication, anyone can be dashboardAdmin I think.
@ruanyl @wanglam @raintygao what do you think?
There was a problem hiding this comment.
Makes sense, a bit like OSD without security plugin installed that will have almost admin permissions. Also want to hear other's thoughts.
There was a problem hiding this comment.
You mean to update isDashboardAdmin state to true if groups.length === 0 && users.length === 0 when both the security plugin and savedObject.permission.enabled are open.
| updateWorkspaceState(request, { | ||
| isDashboardAdmin: groupMatchAny || userMatchAny, | ||
| }); |
There was a problem hiding this comment.
From the function name, I do not think it appropriate to update anything inside this function.
There was a problem hiding this comment.
Sure, I will change the function name to updateDashboardAdminStateForRequest
Signed-off-by: yubonluo <yubonluo@amazon.com>
Signed-off-by: yubonluo <yubonluo@amazon.com>
Signed-off-by: yubonluo <yubonluo@amazon.com>
Signed-off-by: yubonluo <yubonluo@amazon.com>
Signed-off-by: yubonluo <yubonluo@amazon.com>
Signed-off-by: yubonluo <yubonluo@amazon.com>
Signed-off-by: yubonluo <yubonluo@amazon.com>
Signed-off-by: yubonluo <yubonluo@amazon.com>
Signed-off-by: yubonluo <yubonluo@amazon.com>
|
@ruanyl If you have any concerns, Please help me view this PR. |
| this.workspaceSavedObjectsClientWrapper.wrapperFactory | ||
| ); | ||
| } | ||
| if (isPermissionControlEnabled) await this.setupPermission(core, { applicationConfig }); |
There was a problem hiding this comment.
Seems the await is not needed here.
| @@ -64,12 +70,80 @@ export class WorkspacePlugin implements Plugin<WorkspacePluginSetup, WorkspacePl | |||
| }); | |||
| } | |||
|
|
|||
| private async setupPermission( | |||
There was a problem hiding this comment.
No need to declare as a async function here I think
| updateWorkspaceState(request, { | ||
| isDashboardAdmin: false, | ||
| }); |
There was a problem hiding this comment.
Why don't we use updateDashboardAdminStateForRequest method here?
There was a problem hiding this comment.
If users/groups is null, we can prevent the program from running down in advance. Meanwhile, configGroups/configUsers has not been obtained.
| configGroups ? [configGroups] : [], | ||
| configUsers ? [configUsers] : [] |
There was a problem hiding this comment.
| configGroups ? [configGroups] : [], | |
| configUsers ? [configUsers] : [] | |
| configGroups ? configGroups : [], | |
| configUsers ? configUsers : [] |
configGroups and configUsers should already be array I think?
Signed-off-by: yubonluo <yubonluo@amazon.com>
Signed-off-by: yubonluo <yubonluo@amazon.com>
Signed-off-by: yubonluo <yubonluo@amazon.com>
…shboards into pr-integr-dashboard-admin
Signed-off-by: yubonluo <yubonluo@amazon.com>
| import { getWorkspaceState } from '../../../core/server/utils'; | ||
| import { AppPluginSetupDependencies } from './types'; | ||
| import { Observable, of } from 'rxjs'; | ||
| import { error } from 'console'; |
There was a problem hiding this comment.
I will use throw new Error('') to replace it.
Signed-off-by: yubonluo <yubonluo@amazon.com>
This reverts commit 47e10e4.
Description
dashboard admin(groups/users) implementation and integrating with dynamic application config
Issues Resolved
Screenshot
Testing the changes
This function can only be used when the workspace and security plugin are open.
If you want to turn on dynamic application configuration, you must change
opensearch_dashboards.yml:Below is the CURL command to view all configurations.
Below is the CURL command to view the configuration of an entity.
Below is the CURL command to update the configuration of an entity.
Below is the CURL command to delete the configuration of an entity.
Check List
yarn test:jestyarn test:jest_integration